Hi all, my employer recently switched from using a dedicated VPN and Websense to Zscaler.
My employer is also BYOD, and it was mandated that I install Zscaler on my laptop as well as my iPhone. However, it seems that since this is cloud-based it is always on, and so now even when I am not on work hours it has been effectively blocking things such as Discord 100% of the time on all my devices. Is there any way I can get around this without having to buy a second computer or phone? The only way I can see to remove Zscaler from my devices is to change jobs, which is not realistic…
Zscaler really shouldn’t be installed on personal devices, just corporate-owned ones. If they are having you run ZIA and ZPA on a personal device, that is an odd choice.
I think someone overlooked the always-on aspect on BYOD.
This is what I would do. iOS devices present an advantage when dealing with this issue because Apple did not implement a way to prevent the VPN profile from being deleted. In other words, have Zscaler installed on an iOS device and you can always remove the VPN profile, and then not only Zscaler but any other VPN client configured as always-on will be disconnected due to Apple’s inability to prevent the removal of the profile.
Keep in mind that if your employer installs the client using MDM, they could prevent you from removing the profile, and then you will be in the exact same situation you are in at this moment.
1 year later — but your company should have implemented containerization on your mobile device. So you would have had a work container that was directed to the Zscaler proxy/ZTNA resources. This would separate the personas, and your personal data would not be shared with your work.
There is a global disable password for ZCC and also a one-time-use password to disable it. Both can be provided only by IT admins. Not a very convenient way to do it, as the global disable password can be used by anyone, anytime, and the one-time-use password must be sent to users every day. For the notebook I can suggest a dual boot (one for your work and one for your private use). For the mobile phone, we use MS Intune with a private profile, where ZS is installed only on the work profile, therefore leaving the private side unrestrained. BYOD and ZS is not a very good idea.
If your organization paid for your computer, there is probably not much you can do. However, you should make an effort to get them to unrestrict access to certain things. Specifically, because Zscaler is always on, it should block threats from these websites, assuming there are any, so the risk is minimal if they loosen up the restrictions a bit.
Have them disable strict enforcement… so users can turn ZCC on in their work hours. It’s pretty odd to have ZCC on personal phones unless the mobile phones contain large amounts of proprietary information.
Seems like they’re deploying ZIA and ZPA together for personal devices, which seems really odd. ZPA is basically a VPN, whereas ZIA is a firewall.
I would read through whatever paperwork they had you sign to check what you agreed to. Understand that they are capturing ALL of your web traffic on your personal devices… Since they are yours, I would ask them at minimum how you can remove these items. They should not have control of your devices in that sense.
I agree. There are, however, ways to separate traffic, such as per-app VPN, individual browser proxy settings, or corporate and personal profiles. Otherwise all traffic gets logged, which is a privacy fiasco - I can’t imagine a CISO signing off on that.
I am interested in your statement about why you assume ZPA/ZIA on personal devices is bad policy. I assumed that ZPA could be turned off/on by the user whenever they want, and when it is off (of course they won’t have any corporate access) Zscaler is not monitoring them. I assume there are no privacy issues when user-activated Z is off. I am considering Zscaler for BYOD, and find more limitations with MDM than with the Zscaler approach. Your thoughts?
… and if the employees need to use their phones for business, then either they should be given business-owned phones that are MDM-managed, etc., or the business should be using solutions that “containerize” the business data.
Zscaler on a personal device - especially a phone - is a GDPR/privacy nightmare.
ZCC runs as a system service, but all the authentication is done in user space. So if you log out of the corporate account on Windows and log in with a different user, ZCC will start, but it will not be logged in to any service. Therefore no traffic goes to Zscaler. Just make sure to log out of the Windows account and not just switch users.
Even with a machine tunnel, I doubt they would capture internet traffic via it. When the machine tunnel is on, it will only be ZPA. Internet traffic will go direct if not using strict enforcement or other firewall/proxy policies.